[syslog-ng] file written in the wrong place
Paolo Supino
vrkid at yahoo.com
Mon Dec 26 07:49:09 CET 2005
Hi
Thanks, Sandor. Your suggestions solved the problem. I think I
misunderstand something: when a message is received and the filter
statement is host(something), does the filter parse the message to look
for the string, or does it match the message based on the server that
sent the message?
TIA
Paolo
--- Sandor Geller <wildy at balabit.hu> wrote:
> Paolo Supino wrote:
> > Hi
> >
> > I've installed syslog-ng 1.6.8 on a Linux FC4 system to act as a
> > centralized logging server. For a while everything was fine, until I
> > tried to add another statement to one of the filters. After the
> > addition syslog-ng started writing the destination files in the wrong
> > places, writing the same file in 2 locations and ignoring messages sent
> > from certain origins.
>
> Which filter is causing your problems?
>
> > # destinations
> > destination d_switch { file("/var/log/company/switches/$HOST.log"
> > perm(0644)); };
> > destination d_edge { file("/var/log/company/edge_devices/$HOST.log"
> > perm(0644)); };
> > destination d_fw { file("/var/log/company/firewalls/$HOST.log"
> > perm(0644)); };
> > destination d_router { file("/var/log/company/routers/$HOST.log"
> > perm(0644)); };
>
> Use the $FULLHOST macro, not just $HOST
>
> > # filters
> > filter f_edge { host("edge*") or host("10.10.*"); };
> > filter f_router { host("3600-primary") or host("backbone-3550") or
> > host("secondary-3550"); };
> > filter f_switch { host("sw*") or host("backbone-5510") or
> > host(pp8600*); };
> > filter f_fw { host("fw*"); };
>
> You should check your hostnames, whether they contain your filter
> patterns. I suggest using "^edge.*"-style regexp, this is more precise
> than "edge*". I suspect your fully qualified hostnames contain somewhere
> the "fw" or the "sw" strings.
>
> > # wrap everything up
> > log { source(s_net); filter(f_switch); destination(d_switch); };
> > log { source(s_net); filter(f_router); destination(d_router); };
> > log { source(s_net); filter(f_edge); destination(d_edge); };
> > log { source(s_net); filter(f_fw); destination(d_fw); };
>
> Consider using the "final" flag in your log sections, this can improve
> the performance of syslog-ng, but be aware that if you use final, then
> the order of your log sections does matter!
>
> --
> Sandor Geller
> wildy at balabit.hu
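An added illustration, not part of the original thread: why patterns such as "sw*" and "fw*" can send one host's messages to two destination files, and how the "^edge.*" style from the reply narrows them. It assumes host() patterns behave as unanchored regular expressions, as the reply implies, approximated here with Python's re.search; the hostnames are constructed.

```python
import re

# Patterns from the posted filters, in the order of the posted log statements.
# pp8600* is quoted here; it is unquoted in the posted config.
POSTED = {
    "d_switch": ["sw*", "backbone-5510", "pp8600*"],
    "d_router": ["3600-primary", "backbone-3550", "secondary-3550"],
    "d_edge":   ["edge*", "10.10.*"],
    "d_fw":     ["fw*"],
}

# Anchored rewrite in the "^edge.*" style suggested in the reply.
ANCHORED = {
    "d_switch": [r"^sw.*", r"^backbone-5510$", r"^pp8600.*"],
    "d_router": [r"^3600-primary$", r"^backbone-3550$", r"^secondary-3550$"],
    "d_edge":   [r"^edge.*", r"^10\.10\..*"],
    "d_fw":     [r"^fw.*"],
}


def route(host, filters):
    """Return every destination whose filter matches the host.

    Without the "final" flag each log statement is evaluated independently,
    so one message can be written to several destinations.
    """
    return [dest for dest, patterns in filters.items()
            if any(re.search(p, host) for p in patterns)]


def misrouted(hosts):
    """Map each host whose routing changes once the patterns are anchored."""
    return {h: (route(h, POSTED), route(h, ANCHORED))
            for h in hosts if route(h, POSTED) != route(h, ANCHORED)}


# Constructed hostnames for illustration only.
HOSTS = ["fw-dmz", "sw-floor2", "edge-nyc", "secondary-3550",
         "fileserver", "210.10.5.1"]

if __name__ == "__main__":
    for host, (before, after) in misrouted(HOSTS).items():
        print(f"{host:16} posted={before} anchored={after}")
```

As a regular expression, "sw*" means an "s" followed by zero or more "w", so it matches any hostname containing the letter "s"; "fw*" likewise matches any hostname containing "f".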